Appendix 1: edgenet
The spy state cannot be voted out of office. It eats laws for breakfast and excretes excuses for breaking them. We will either build a spy-proof Internet, that cannot be banned or controlled, or we accept to become slaves.
Let me recap the three main points of attack on the privacy of our communications:
The centralized servers where we meet to share information. These can be hacked, or their owners ordered to hand over information. No matter what encryption you use between your PC and the server, data is held unprotected on servers.
The client PCs and devices where we run our browsers. These are often laden with spyware, or hacked individually when the case needs it, in a "targeted attack."
The broadband connections across which the clients talk to the servers. Broadband providers record metadata and provide it to the authorities as a matter of course.
A full-spectrum attack, such as the FBI's takedown of Freedom Hosting in 2013, hits each of these three vulnerabilities. They arrested the server operator, and with his help, put code on the sites he hosted. This code attacked the users' web browsers, and exposed their IP addresses, and thus real identities, though the broadband providers. Finally they took down the server, killing all websites that ran on it. So much for the Deep Web.
If the Web is not safe, and the Deep Web is not safe, what is? There is only one long term answer, and that is a new web that lives "off the grid," treating central websites and broadband connections with the full distrust they deserve.
Living on the Edge
To build truly secure communities, we must address all three of these weak points. It's not sufficient to improve our encryption to create a more robust Deep Web. Rather, we need a radical rethink of how we build digital communities in the first place. We need a new kind of Internet, which I'll call edgenet, that is resistant to all threats except targeted attacks.
Targeted attacks are costly, so the goal of edgenet is to make it unbearably expensive to spy on us, and extremely cheap to guard against this, in other words to reverse the current balance of power where it's extremely cheap to spy on us, and unbearably expensive to guard against it.
edgenet exists without any centralized infrastructure and is essentially invisible to the spy state unless it makes a great effort. Since we cannot trust ISPs with our metadata, we cannot trust the last mile of the Internet. So no 3G or 4G, no ADSL at home or the office, not even dial up modems, for anything that has to be secure. Similarly, since any centralized service is a single point of failure, we cannot trust a web based on centralized services.
Instead of centralized services that we access over commercial broadband, edgenet builds on two alternative technologies, which though not new, have been difficult to exploit until recently:
- True peer-to-peer connections that cannot easily be monitored.
- Distributed services that cannot easily be monitored or broken.
edgenet is not an original idea. People have been trying to build decentralized "mesh networks" for a long time. In the past, building a mesh network was technically hard, since it depended on specialized WiFi hardware and firmware. Some did build these, on a small scale, and there is even an official WiFi protocol for mesh since in 2011. However, off-the-shelf WiFi equipment does not support mesh without modification, so the technology is out of reach for ordinary people.
However the vision of large-scale mesh networks running on off-the-shelf hardware and software is becoming more realistic, thanks to the same technology that brought the Internet to Africa, namely smartphones. Smartphones have rewritten the old rules about what is possible on the edge of the Internet. They potentially take the Internet back to its roots, before the web. This sounds retrograde, yet to build edgenet we have to undo the whole concept of a heavily-centralized Web and reconstruct our communications around a very different animal.
We need a "fabric," that is, a decentralized network of computers that can talk to each other without that vulnerable dependence on broadband connections. I'm going to explain how to create a fabric that can stretch at least across cities, and possibly across the globe. Then, we need applications that can use that fabric to create new social networks. One step at a time; this is a delicate story. Let's start with the fabric.
The Invisible Fabric
Once upon a time, the Internet was a worldwide network of servers, mostly in universities, and all more or less equal. If you wanted to run an application like email, or gopher, or FTP, you would log onto a server and work there, in a "terminal window." There were some powerful workstations -- like the SPARCstation from Sun -- that could speak TCP/IP, though these were effectively servers too, and ran like them.
Then Windows 95, the first decent version of Windows, helped launch the "some are more equal than others" web that dominates today. The combination of a workable TCP stack (originally, Trumpet Winsock, and belatedly, Microsoft's own stack), an affordable home computer, and the graphical web browser formed the basis for cheap and scalable connectivity.
Many people tried to use their PCs as "home servers." One of my popular fin du siecle free software programs, Xitami, turned a Windows PC into a fast little web server. Nonetheless, most of us learned to use our PCs as thin clients, especially by 2005 or so, when web applications became powerful enough to replace desktop applications. Today, PCs are rarely used for anything intensive except high-end gaming.
There were some very successful mesh-like applications up until 2005 or so, including Skype (before Microsoft changed Skype to use centralized servers). However even pre-Microsoft Skype and infamous P2P file sharing protocols like BitTorrent all worked through the broadband connection, allowing the ISPs to see all the traffic, filter it, log it, and so on.
The Internet was based on a promise of a smart edge (computers) connected over a dumb fabric (TCP/IP), and then the Web turned that inside out, giving us a dumb edge (thin clients) talking to a smart center (websites). The web model is cheap, scalable, and profitable. However, as we see, it is so very vulnerably to malfeasance. I'm not just speaking of the spy state and its voyeuristic hate of our privacy. Among the crooks, I also count the cartels of broadband providers, the movie and record associations with their lawsuits against people sharing music and movies, and governments legislating what we can say, and do, with whom.
Cost gravity comes to the rescue. Smartphones can do many things, such as break when you drop them, and run up extraordinary roaming data bills. They do three things that interest me specifically:
- They are mobile, so where there are people, there are smartphones, charged and working.
- They are powerful, so where there are people, there are powerful computers.
- They almost all have WiFi capabilities. So where there are people, there are powerful computers, capable of talking to each other.
And of course, for many of us, the smartphone is also our main user interface, for photos, tweets, Facebook messages, email. That means the smartphone in our pocket can act much like those Sun SPARCstations from the 1990's: server and client at the same time. Actually even a cheap smartphone is around 25 times more powerful than those so-called "pizza boxes." Finally, there are enough people carrying smartphones to create viable city-wide meshes. All this is recent, and it's what makes edgenet possible today whereas it was impractical even as late as 2010.
Now I'll explain the details, trying not to get too technical. Most of us know that our phones can connect to the WiFi hotspots around us. It's how we play YouTube videos at home without exhausting our mobile Internet quotas. What few people realize is that two phones can often see each other, and chat, over these hotspots. In other words, without using any broadband, and without any traffic going out over the public Internet.
This is called a "client-to-client" connection. Client-to-client connections work on most WiFi access points (that is, the little box with antennas that creates the hotspot) that you buy, and most that you'll find in cities. There are exceptions. For example the AT&T hotspots in Starbucks across the US do not allow client-to-client connections.
If you think this through, you may see the possibilities. When you are at home, or in the office, or in a café with a friendly WiFi hotspot, you can connect a bunch of phones, tablets, and laptops together in interesting ways. This is not a hypothesis. There are applications that stream video from a phone or tablet to a WiFi-enabled TV, or a TV with some dongle, like Google's Chromecast, attached. In 2011-2012, my firm designed such technology for a large electronics firm, and it's in use on their smartphones today. I also wrote an open source library called Zyre that does this -- if you run it on a phone, it will look for any other phone also running Zyre, connect to it, and then let applications exchange data.
When you are out and about in the street, things become more fun. It's harder to find friendly WiFi hotspots. And even if you do, you have to stay within 10-30 yards of the hotspot for things to work. The "inverse power law" means that if two antennae (like the WiFi access point and your phone) move twice as far apart, they need to use four times as much energy to talk to each other.
All modern smartphones -- since 2010 or so -- can create their own WiFi hotspots at will, unless the ability has been disabled by the phone company. AT&T, for example. So if you have a smartphone in your pocket that is running Zyre, and you're walking in the street, it would be possible to switch on your WiFi hotspot, and search for other friendly WiFi hotspots, and make opportunistic connections to any other Zyre smartphone. (Don't bother looking for Zyre on the marketplace, it's raw material for programmers to make mobile applications.)
If you imagine a group of friends hiking in the mountains, their smartphones could connect to create a small "cell," to use the terminology of mobile phone networks. However, when the same people are in the city, in a bar, or in a demonstration, at a concert, or even at home, they will be in range of several cells.
The cells aren't fixed like mobile phone cells. Instead they switch on and off and move about randomly, since each cell is centered on one smartphone acting for a while as a WiFi hotspot. Now, a smartphone can be in one cell at a time, and as it moves from cell to cell, it can carry information with it. This creates an "asynchronous mesh," in other words, it's possible for data to move across an entire city, slower than we're used to with broadband, yet still fast enough to be useful.
Let me give an example. A woman takes photos of the police arresting a protester. As she takes these photos, they are pushed out to other smartphones in that cell. Those smartphones move away from the scene, and the photos flow over several more hops, and eventually have reached several thousand smartphones across the whole downtown area. It is impossible to know the origin of the photos, impossible to censor them except by physically seizing all phones in the area. That's hard, as they don't have to be visible in order to join a cell.
As people move around the city, the fabric stretches wider and wider. In order to cover the globe, however, I'd exploit those fast-but-stupid broadband connections we all have at home, and create temporary virtual pipes between random pairs, each end of the pipe in a different city. So my PC would connect to a peer in Toronto, then in San Diego, then in Kuala Lumpur, and so on. Modern PCs, fat up from too much gaming, can handle hundreds of such pipes at once. We'd secure and encrypt the pipes using throw-away asymmetric keys. Everything sent on the pipe would be stripped of metadata.
That gives us a global fabric, which I'll dub the "Cellnet." The Cellnet is slow, asynchronous, opportunistic, and works at a human scale, closely tied to our physical movements and proximity to other people. It is a different animal from the Internet we use today, where distance is abstracted to nothing and you never really know who you are talking to. I like the idea of de-abstracting technology.
All of this is possible today, in software, and could take advantage of improvements in hardware and firmware, such as real mesh networking and better batteries. We could build cheap dedicated devices that run the Cellnet: a pocket-sized box that is all battery, with powerful radios, and a couple of blinking lights just because. No screen, no fancy UI software, just a pocket-sized Cellnet node. It could double as a battery recharger for smartphones, which gives plausible deniability to anyone arrested with one, when they are banned. Kickstarter, anyone?
The Cellnet would be extremely hard to spy on or disrupt. It is possible to capture WiFi traffic by being physically very close. However it's also quite easy to secure traffic between two peers to the extent that it cannot be read or modified or faked. The only way to get information is then to seize the phone itself. While physical seizures (including the old "beat them until they talk" technique) are always an option, they do not scale to billions of people. The spy state can still tap into traffic that goes across the Internet, by acting as Cellnet nodes. However it can get very little useful from it, and crucially, cannot tie activity back to individual actors.
The Cellnet isn't fully resistant. One can attack WiFi hotspots by sending out jamming signals. However this will disrupt more than just smartphones, and it means having equipment in the right place at the right time. That is difficult and costly, and security is always about raising the costs to attackers.
Which leaves us with the second part of edgenet, namely applications that can work across the Cellnet. I'm going to describe two types of application, two patterns for communication. First, anonymous broadcasting, where one person sends material to anyone who's listening, without revealing their identity. Second, secure messaging, where one person can send a secret message to another person, without an attacker reading the message, modifying it, or sending a fraudulent message.
Anonymous Communities
There is one interesting response to the loss of privacy. Instead of fighting it, that is to embrace it and turn it into an asset. OK, there are people with the power to track us as individuals and map out our lives, so they can manipulate us, or control us. However if we can become truly anonymous, that power has no effect on us.
Most on-line communities depend on identities, in the form of user profiles. It's especially valid for social networks, which boast our photos, biographies, and other tidbits meant to make us look attractive. Flattery to our egos is the sugar kick that keeps us coming back. Perhaps I'm projecting here, yet I certainly use social networks more to see who's retweeted or upvoted my latest amazing comment, than to learn interesting new things. Shame on me.
Strong identities can be healthy for a community. People will say fewer stupid things if it harms their reputation. However "stupid" is quite relative, and strong identities make the speaker more important than the message. This amplifies some voices while suppressing others. This can make communities less smart than they would be without any identity at all. One alternative is the anonymous community, epitomized by 4chan. This collection of "image boards" is famous for the amount of garbage posted. and it is also the birthplace of Anonymous, one of the most effective on-line communities to ever exist.
I think that anonymous communities are becoming a template for political organization. Digital politics look nothing at all like industrial-age politics. There are no parties, no politicians, no budgets, and no States. Instead, there are armies of self-organized, anonymous, paranoid, and highly competent people organized around insane missions. They are willing and capable of challenging any authority, and they respond to any threat with full-on, unfettered action. It might look like a bunch of out-of-control teenagers, yet it's something much, much stranger.
If you have not read Iain M Banks' work, you might want to. He died in 2013, too young, from cancer. His Culture series, which inspired the title of this project, describes some strange worlds. However his most bizarre creations are his machine intelligences, the Minds).
The Minds roam the universe doing playful, arbitrary things, until there is a threat to their precious Culture. Then they swing around, and with unflinching psychopathic brutality, no matter how long it takes or how much it costs, they take care of business. Then they get back, metaphorically speaking, to exchanging photos of cats. This is how I see anonymous communities today, and in the future: they are our Minds.
Anonymous broadcasting is very well suited to the Cellnet, it is almost the natural pattern. In fact, it's a pattern that was widely used before the Web, and is even still used in corners of the Internet. I'm talking about the global discussion system called Usenet. Usenet looks like a combination of email and forums. You subscribe to some topics, and then receive posts on those topic, asynchronously, as your local server chats with other servers. Usenet is where FAQs and spam originated.
Anonymous broadcasting -- using the Usenet protocols or something very much like them -- also solves the problem of how to avoid flooding the Cellnet.
Social Networks
There are ways to communicate that are considered secure. People do still trust Tor, "Off-the-record" (OTR) chatting, and cryptographic layers like GnuPG. However, as I've explained, these are still vulnerable in various ways. Even if you do wrap your messages in unbreakable end-to-end security, so no server in the middle can ever see the unencrypted data, you are still providing that metadata, which can be sufficient to build a case against you. Simply talking to a person of interest, no matter what you say, can make you a person of interest in turn. Moreover, it's likely that the very use of Tor or other detectable strong encryption from a given network address raises a red flag.
Privacy, the reason for secure messaging, is not a whimsical notion. It is the basis for any relationship that does not explicitly belong in the public domain. It's true that we've gotten used to exposing our relations, like tattoos, on social networking sites. Look how many followers I have! However it strikes me as essentially trashy when two people can become "friends" with a click. Social networks have become a game to their users, and it's a game played with lives.
I think our current "social networks" are little more than emotional candy bars. They look like food, yet are empty of real nourishment. They are addictive, providing an excess of a naturally rare thing, namely social company. And I think they make us unhealthy, vulnerable, unfulfilled and, ultimately, not very happy.
A sustainable social network would be a collection of real relationships, not clicks. It would be based on private relationships, since to expose one's relationships makes it them public assets. That may work in some contexts, and certainly in open communities, yet open communities seem to be a different animal than social networks. Each person's social network, that map of our relationships and how important each one is to us, would be owned by each of us, and no one else.
To build up a relationship with a given person, I'd want to call, chat, send photos, share web links, code, and so on, with that person. I'd do this over time, and keep doing it, or the relationship would become stale and uninteresting. This is how it works in real life, and this is how I'd expect my computerized life to work.
I've implied two things here, which I'll say explicitly. One, we don't need a central website to make these exchanges happen. That would be like going to the reception to check if you got post. It is somewhat ridiculous. New messages should arrive seamlessly on our phones or laptops, as indeed they do for the systems that work well: emails, Twitter updates, text messages.
The asynchronous "you got mail" world is much smoother than the synchronous "go to reception to check your inbox" world. In an asynchronous world we have different kinds of stuff going on. Urgent messages that we want to see soon. Normal stuff that can take a few minutes, even longer to arrive. Slow stuff that can take hours or even days to get to us. Again, this is how the real world works, and though I appreciate instant gratification as much as anyone, there is a certain art in building large systems that work just as we expect.
The second thing is, why should the business that operates that social network website own our data? Some people claim the CIA invested heavily into Facebook through its In-Q-Tel venture capital vehicle. True or not, Facebook, and firms like it, are able to track our private lives. Even if you do not use this site, every time your friends tag you in a photo or mention your name, that is added to your shadow file.
What's wrong with this picture? Let me give you a one-line definition of "ethics": it is the balance of power in a relationship. When businesses own your social networks, there is no balance of power. That's fine in a world where we can grant unlimited trust to those with power. We do not however live in that world, and I doubt the universe has such a planet in it. Those in power seek power, by definition, and do what they feel they must to retain it.
In a world where the state sees its own citizens as a prime threat to its power, that means building a framework of repression and control. Who you know, where you go, what you say, what you think out loud... these are the data that have sent thousands and millions to their deaths in the past. Agreed, the very notion of the spy state watching and perhaps hunting us, the idea that we live in mortal fear of our own elected governments is highly uncomfortable, close to paranoia.
However, why even take the risk? We can build social networks over the Cellnet. They will be asynchronous and distributed and impossible to trace, except by physical seizure or brute-force hacking of individual devices, the most costly and impractical of surveillance options.
We would want end-to-end security, as GnuPG or ZeroMQ provides, and some form of anonymous routing across nodes, as I've already described. We could exchange security keys by touching our phones together, using the near-field communications, or NFC, feature that many smartphones have. Then we could share data privately, and securely, over multiple hops, whether we're still in the same city, or half-way around the world.
As a user experience, it's simple. I have stuff (code, photos, ideas, documents, music) that I want to share with one or more people. I choose the stuff, click Share (it should be a physical button on the phone) and it pops up my most important groups and people. I choose who to share it with, and that's it.
The actual sharing might take hours or days, as I meet people and our phones exchange data. My stuff hops leisurely across the Cellnet, sometimes getting lost and trying again, until it finds its destination. I don't really care. With enough people connected, data can travel very rapidly and if I really have gigabytes to send, I'll wait until I see the person and we can work over a direct WiFi link.
That's it. It is a short description of what I'd like to help build, or see happen.